Security Data / SECDATA-969

Clarify if a newer RHSA invalidates an older one


    • Type: Task
    • Resolution: Not a Bug
    • Priority: Normal

      In November there was an RHSA published which addressed CVE-2019-12900 for bzip2 https://access.redhat.com/errata/RHSA-2024:8922 

      For RHEL 8 the fix version was indicated as bzip2-1.0.6-27.el8_10. 

      Then in January a new RHSA was published for the same CVE and package.

      https://access.redhat.com/errata/RHSA-2025:0733 

      For RHEL 8 the fix version is bzip2-1.0.6-28.el8_10.

      Now RHEL 8 images with bzip2-1.0.6-27.el8_10 are flagged for this CVE, for example https://catalog.redhat.com/software/containers/ubi8/ubi/5c359854d70cc534b3a3784e?image=6776ad7eb365a2d9feb44ede 

      However, the older RHSA page is still up (https://access.redhat.com/errata/RHSA-2024:8922) and the CVE page links to it (https://access.redhat.com/security/cve/CVE-2019-12900). This data is also still included in the VEX security feed: https://security.access.redhat.com/data/csaf/v2/vex/2019/cve-2019-12900.json

      There is no clear indication that the fix versions listed in the older RHSA don't actually address the CVE that they were meant to address.

      Is this expected? Would this mean that when a new RHSA is published for the same CVE+product+package that automatically invalidates older RHSAs?
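An added example, not code from the report or from Red Hat's tooling, of the reconciliation the report's observation implies: when more than one advisory lists a fix for the same CVE, product and package, a scanner that treats the highest fix version as the effective one flags bzip2-1.0.6-27.el8_10 even though RHSA-2024:8922 on its own would clear it. The advisory entries are constructed from the versions quoted above, and the rpm version comparison is a simplified reimplementation (no epoch, tilde or caret handling) rather than a call into rpm.

```python
"""Reconcile fix versions from several RHSAs for one CVE (added example).
Advisory data is constructed from the report's quoted versions; rpmvercmp()
is a simplified reimplementation of rpm's comparison (no epoch/tilde/caret)."""
import re
from functools import cmp_to_key

# Constructed from the report: two RHSAs for CVE-2019-12900 / RHEL 8 bzip2.
ADVISORIES = [
    {"id": "RHSA-2024:8922", "fixed": "bzip2-1.0.6-27.el8_10"},
    {"id": "RHSA-2025:0733", "fixed": "bzip2-1.0.6-28.el8_10"},
]

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """-1/0/1 like rpm's rpmvercmp: numeric segments compare as ints,
    alpha segments lexically, and a numeric segment beats an alpha one."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def cmp_nevr(a: str, b: str) -> int:
    """Compare 'name-version-release' strings by version, then release."""
    _, va, ra = a.rsplit("-", 2)
    _, vb, rb = b.rsplit("-", 2)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def effective_fix(advisories: list) -> dict:
    """The advisory with the highest fix version sets the bar; an older RHSA
    with a lower fix version is superseded rather than consulted on its own."""
    return max(advisories, key=cmp_to_key(lambda p, q: cmp_nevr(p["fixed"], q["fixed"])))

def is_fixed(installed: str, advisories: list) -> tuple:
    """(fixed?, advisory id): True when the installed NEVR is at or above the
    effective fix version, which is why -27 is flagged once -28 is published."""
    adv = effective_fix(advisories)
    return cmp_nevr(installed, adv["fixed"]) >= 0, adv["id"]

if __name__ == "__main__":
    for nevr in ("bzip2-1.0.6-27.el8_10", "bzip2-1.0.6-28.el8_10"):
        print(nevr, is_fixed(nevr, ADVISORIES))  # -27 flagged, -28 clean
```

Passing only the older advisory (ADVISORIES[:1]) to is_fixed shows the other side of the report: with RHSA-2024:8922 alone, -27 would be reported as fixed.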

People: Yuguang Wang, Andrey Yamburg